I am trying to verify a hashed password stored in the database against the password the user enters to log in, but I am unsuccessful with it. I am using password_verify to compare the passwords, but it is not returning true even when I enter the correct password. Please help me!!
```php
<?php
session_start();                  // must run before any output is sent
include('connect.php');           // provides $conn, an oci_connect() handle
// var_dump($_POST);              // debug only: any output here breaks the header() redirects below
$tbl_name = 'userC';
$username1 = '';
$password1 = '';
if (isset($_POST["USERNAME"]) && isset($_POST["USER_PASSWORD"]))
{
    $username1 = $_POST["USERNAME"];
    $password1 = $_POST["USER_PASSWORD"];
}
// To protect MySQL injection
$username1 = stripslashes($username1);
$password1 = stripslashes($password1);
$stid = oci_parse($conn, "SELECT * FROM $tbl_name where user_name='$username1'");
$result = oci_execute($stid);
$re = 0;                          // number of rows matching the username
$password = null;
//$re = oci_fetch_all($stid,$abc);
while (($row = oci_fetch_array($stid, OCI_BOTH)) !== false)
{
    $password = $row[6];          // stored password hash (7th column of userC)
    $username = $row[2];          // user_name (3rd column of userC)
    $re = 1;
}
if (isset($password))
{
    if (password_verify($password1, $password))
    {
        $re1 = 1;
    }
    else
    {
        $re1 = 0;
    }
}
else
{
    $re1 = 0;
}
// If result matched $username and $password, table row must be 1 row
if ($re >= 1 && $re1 >= 1)
{
    // Register $username in the session and redirect to file "form.php"
    $_SESSION["username"] = $username;
    header("location:form.php");
    exit;                         // stop here so the failure redirects below are not also sent
}
if ($re < 1) {
    $failed = 1;
    header("location:login.php?msg=failed");
    exit;
}
if ($re1 < 1) {
    $failed = 1;
    header("location:verify.php?msg1=failed");
    exit;
}
?>
```
Answer 0 (score: 1)

Remove `$password1 = stripslashes($password1);` from the code. You should not modify the entered password in any way before passing it to password_verify (or, for that matter, password_hash).

By the way, stripslashes does not protect you from SQL injection. Use prepared statements and oci_bind_by_name instead:

```php
$stid = oci_parse($conn, "SELECT * FROM $tbl_name where user_name=:uname");
oci_bind_by_name($stid, ":uname", $username1);
$result = oci_execute($stid);
```
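A complete, runnable version of the two points in the answer above (bind the username as a variable; pass the submitted password to password_verify untouched), as an added example that is not code from the question or the answer. It assumes a table named userC with columns USER_NAME and USER_PASSWORD (column names are an assumption), and an open `$conn` from oci_connect() for the Oracle lookup; the demo at the bottom uses a constructed in-memory user table so it runs without a database.

```php
<?php
// Added example; not code from the question or the answer.
declare(strict_types=1);

// Returns a lookup closure that fetches the stored hash for a username
// through a bind variable, so the username travels as data and is never
// spliced into the SQL text. Assumed schema: table userC with columns
// USER_NAME and USER_PASSWORD (the latter holding password_hash() output).
// The table name cannot be bound; it is a fixed literal here, not user input.
function oci_hash_lookup($conn): callable
{
    return function (string $username) use ($conn): ?string {
        $stid = oci_parse($conn, 'SELECT user_password FROM userC WHERE user_name = :uname');
        oci_bind_by_name($stid, ':uname', $username);
        oci_execute($stid);
        $row = oci_fetch_array($stid, OCI_ASSOC);
        oci_free_statement($stid);
        return $row === false ? null : $row['USER_PASSWORD'];
    };
}

// The submitted password reaches password_verify() exactly as typed:
// no stripslashes(), trim(), escaping or re-encoding, since any change
// makes the hash comparison fail. When the user does not exist, a dummy
// hash is verified anyway so the response time does not reveal which
// usernames are valid.
function check_login(callable $lookup, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $hash = $lookup($username);
    if ($hash === null) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Offline demonstration with a constructed in-memory user table.
function demo(): array
{
    $plain = 'p@ss\\w0rd';   // one literal backslash: the case stripslashes() mangles
    $users = ['alice' => password_hash($plain, PASSWORD_DEFAULT)];
    $lookup = fn (string $u): ?string => $users[$u] ?? null;

    return [
        'raw password verifies'        => check_login($lookup, 'alice', $plain),
        'stripslashes() breaks verify' => !check_login($lookup, 'alice', stripslashes($plain)),
        'unknown user is rejected'     => !check_login($lookup, 'mallory', $plain),
    ];
}

foreach (demo() as $case => $ok) {
    printf("%-30s %s\n", $case, $ok ? 'ok' : 'FAIL');
}
// Against a real Oracle connection:
// check_login(oci_hash_lookup($conn), $_POST['USERNAME'], $_POST['USER_PASSWORD']);
```

On a successful check, call session_regenerate_id(true) before storing the username in `$_SESSION` so the login does not reuse a pre-authentication session id, and follow the `header('Location: ...')` redirect with `exit` so the script does not fall through into the failure branches.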